sakula | 1debc837add53cd6baf31583a71385eab6aeefc19684549cffe5c539763a0b41

Analysis

max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241e21d6765c970c6092fbe0ba00a6af_JC.exe
Size

101KB
MD5

241e21d6765c970c6092fbe0ba00a6af
SHA1

721c1c3ad2214ce099756a44c77579ffcef55b6d
SHA256

1debc837add53cd6baf31583a71385eab6aeefc19684549cffe5c539763a0b41
SHA512

3f3568d60520fcbe6e9e2ad694bd6a093fd25b7d998fcd7ca3b18c7934de7907c58c63628245b3b76e04cf0da8446ece105a547240ff47e91a9bda2109513be3
SSDEEP

1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzo:/bfVk29te2jqxCEtg30BLbEE

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

www.savmpet.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

241e21d6765c970c6092fbe0ba00a6af_JC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	241e21d6765c970c6092fbe0ba00a6af_JC.exe

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

800 AdobeUpdate.exe

pid	process
800	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

241e21d6765c970c6092fbe0ba00a6af_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	241e21d6765c970c6092fbe0ba00a6af_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1948 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

241e21d6765c970c6092fbe0ba00a6af_JC.exe

description pid process

Token: SeIncBasePriorityPrivilege 236 241e21d6765c970c6092fbe0ba00a6af_JC.exe

pid	process
1948	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

241e21d6765c970c6092fbe0ba00a6af_JC.execmd.exe

description	pid	process	target process
PID 236 wrote to memory of 800	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe	AdobeUpdate.exe
PID 236 wrote to memory of 800	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe	AdobeUpdate.exe
PID 236 wrote to memory of 800	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe	AdobeUpdate.exe
PID 236 wrote to memory of 4964	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe	cmd.exe
PID 236 wrote to memory of 4964	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe	cmd.exe
PID 236 wrote to memory of 4964	236	241e21d6765c970c6092fbe0ba00a6af_JC.exe	cmd.exe
PID 4964 wrote to memory of 1948	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 1948	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 1948	4964	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\241e21d6765c970c6092fbe0ba00a6af_JC.exe
"C:\Users\Admin\AppData\Local\Temp\241e21d6765c970c6092fbe0ba00a6af_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:236

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\241e21d6765c970c6092fbe0ba00a6af_JC.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
ead1cfbdd19983061d7248b1dd5ee7a9

SHA1
a9aea225b0e816f7d80e7e5dcdc6059e130ff683

SHA256
e12c0df041e4212b906987a8b80fc9f743590bd0c3854a189dfd6e2b7d132286

SHA512
6ced7efddd26b7cdc778b2d16b8c227b9765a5653486198d42e46fc00a82c3cf0d31f917d0c030f388586653d103618103699e633cd1d1c04a4576e539e6b37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
ead1cfbdd19983061d7248b1dd5ee7a9

SHA1
a9aea225b0e816f7d80e7e5dcdc6059e130ff683

SHA256
e12c0df041e4212b906987a8b80fc9f743590bd0c3854a189dfd6e2b7d132286

SHA512
6ced7efddd26b7cdc778b2d16b8c227b9765a5653486198d42e46fc00a82c3cf0d31f917d0c030f388586653d103618103699e633cd1d1c04a4576e539e6b37b

Download Submit